Select Language:
Here’s a simple guide to fix the common error when linking a Route 53 Private Hosted Zone to a VPC in a different AWS account. The error message usually says, “no resource-based policy allows the route53:AssociateVPCWithHostedZone action,” which means there’s a permission issue.
When your VPC and Private Hosted Zone are in separate accounts, you have to go through a two-step process to authorize and then establish the connection.
First, from the account that owns the Hosted Zone, you need to create an authorization. You can do this by running the following command:
bash
aws route53 create-vpc-association-authorization –hosted-zone-id Z1234567890ABC –vpc VPCRegion=us-east-1,VPCId=vpc-0abcdef1234567890
Replace Z1234567890ABC with your Hosted Zone ID, us-east-1 with your VPC’s region, and vpc-0abcdef1234567890 with your VPC ID. This step grants permission for the other account’s VPC to be associated with the Hosted Zone.
Next, from the account that owns the VPC, proceed to associate the VPC to the Hosted Zone by running:
bash
aws route53 associate-vpc-with-hosted-zone –hosted-zone-id Z1234567890ABC –vpc VPCRegion=us-east-1,VPCId=vpc-0abcdef1234567890
Once the association is successful, go back to the account with the Hosted Zone and delete the authorization with:
bash
aws route53 delete-vpc-association-authorization –hosted-zone-id Z1234567890ABC –vpc VPCRegion=us-east-1,VPCId=vpc-0abcdef1234567890
If your VPC and Hosted Zone are in the same AWS account, then the problem is likely related to permissions. Make sure the IAM role or user performing the operation has policies allowing these actions:
json
{
“Effect”: “Allow”,
“Action”: [
“route53:AssociateVPCWithHostedZone”,
“ec2:DescribeVpcs”
],
“Resource”: “*”
}
Remember, the ec2:DescribeVpcs permission is necessary for the association to happen.
Keep these points in mind:
- Always create the authorization (
create-vpc-association-authorization) first before attempting the association. - If you’re automating with CloudFormation or CDK, you might need a custom resource to handle cross-account authorization, because native support is limited.
- Your VPC shouldn’t already be associated with another private hosted zone of the same domain name, or the association will fail.
Following these steps can help you troubleshoot and successfully connect your Private Hosted Zone to a VPC across AWS accounts.
ChatGPT
Perplexity
Gemini AI
Grok AI
